Dorifel botnet attack hits Dutch local authorities hard

At least 30 local governments, universities and companies have had their systems infected with the XDocCrypt/Dorifel virus in the Netherlands since Wednesday, said the Dutch National Cyber Security Center (NCSC) on Friday. The virus was spread via a botnet called Citadel, which uses code that is based on the Zeus botnet.

The virus hit 3,000 machines globally, and 90 percent of those involved organizations based in the Netherlands, said Kaspersky Lab Expert David Jacoby in a blog post. "We have seen government departments and hospitals being victims," he wrote, adding that other countries with a large number of detected infections were Denmark, the Philippines, Germany, the U.S. and Spain.

It remains unclear if the attacks are specifically targeting governments and high profile companies in the Netherlands, said Jacoby. "This is nothing that we can confirm, but for some reason the vast majority of all the victims come from Netherlands."

The cities of Den Bosch, Venlo, Weert and Borsele are among the infected local Dutch governments, as well as Tilburg, Almere and the province of North-Holland among others, Dutch IDG news site Webwereld reported. The virus that was spread by the Citadel botnet is called Dorifel and infects Microsoft Word and Microsoft Excel documents as well as executable files, according to the NCSC. Microsoft calls the virus Quervar.B and notes that it has been observed contacting remote hosts in order to download files onto computers.

The virus spread via systems that were infected with Citadel for some time, infecting thousands of documents, the NCSC said. Dorifel is known as a banking Trojan designed to steal banking data and log-in credentials, it added. The virus damages Office files, rendering them unreadable via encryption, but the files are not destroyed.

If a user opens the file the virus can spread further via connected network discs, the NCSC said. The infection is activated after a system reboot and then starts looking for Office files.

The National Cyber Security Center identified the IP (Internet Protocol) addresses used for spreading the virus and advised system administrators to block access on firewalls, proxies and routers to IP addresses 184.82.162.163, 184.22.103.202 and the domains windows-update-server.com and wesaf341.org to avoid infections.

While most municipalities and the province of North Holland stated on Thursday they had solved the problems, Dorifel nevertheless managed to download new malware to 100 clients on Thursday evening, according to the Dutch security company Fox-IT.

"Today we received a task for xdoccrypt [Dorifel] which did not download the suggested Citadel, but instead downloaded the Hermes banking Trojan from 184.22.103.202 which we suggested to block in our initial post," wrote Michael Sandee, principal security expert at Fox-IT in a comment on the company's blog on Thursday. "The task was rolled out to only 100 clients suggesting that the actor is only testing the new Hermes bot," he added.

None of the 40 most used antivirus programs are currently able to detect the Hermes Trojan, according to VirusTotal, a service that analyzes suspicious files and URLs, Sandee noted in his comment.

Hermes has the ability to perform distributed-denial-of-service (DDoS) attacks and can execute remote shell attacks that can be used to run arbitrary commands on a remote computer, Fox-IT's founder and director Ronald Prins added on Twitter. The central machine of the Citadel botnet that is active in the Netherlands is located in the Ukraine, according to Prins.

The Citadel botnet, which was built on Zeus code, was discovered in December and provides AES encryption for configuration files as well as the possibility to block antivirus sites on infected computers and the ability to block automated botnet scanners.

Dutch citizens report that they are being harassed by phone spammers speaking poor English who pose as Microsoft employees offering to help remove the Dorifel virus, the NCSC said.

The callers try to sell fake and pricey antivirus products and ask for credit card data. People who go along with this trick are at risk of giving the attackers control of their PC, the NCSC warned.

The Dorifel virus is "under control" in the Netherlands, but there are some organizations that are still cleaning up their files and systems, the NCSC said on Friday. The IP address used by the botnet was blocked in cooperation with ISPs to prevent further spreading of the virus, it said, adding that since then it has received no additional virus reports.

"The NCSC expects there is a big chance that the worst is over but does not rule out the possibility that there will be more reports," the organization said.

Kasperky's Jacoby notes that Dorifel is active and infections are still increasing.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.